Planning to control network access

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

This topic is designed to help you plan to control access to and from your internal network. Forefront TMG controls and protects internal network access by inspecting and filtering traffic between the internal network and the Internet, between networks, and between the Forefront TMG server and services with which it communicates.

The following sections describe:

  • Policies and rule sets

  • Processing requests

  • Network relationships

Policies and rule sets

Forefront TMG controls internal network access by enforcing policies that determine whether or not connections between networks are allowed. These policies may be of the following types:

  • Firewall policy—Inspects and filters connections between the internal network and the Internet. The firewall policy is made up of the following rule sets:

    • Access rules—Control outbound Web access, that is, access from internal computer to the Internet.

    • Web publishing rules—Control inbound access to published Web servers.

    • Server publishing rules—Control inbound access to published non-Web servers.

  • System policy—Controls traffic to and from the Local Host network (the Forefront TMG server) to allow traffic and protocols necessary for Forefront TMG to perform authentication, domain membership, network diagnostics, logging, and remote management. Forefront TMG provides a predefined rule set, which is created during system installation. You can enable or disable individual rules, and modify rule destinations; you cannot delete existing rules or create new rules. For more information, see About system policy.

    Note

    In the Forefront TMG Management console, you can view and edit system policy rules in the Firewall Policy node.

  • Network rules—Specify that resources in one network are allowed to communicate with resources in other networks, and what type of relationship (either routing or NAT) exists between the source and destination. For more information, see Network relationships.

Processing requests

Before you edit and create policy rules, read the following information about how Forefront TMG processes requests:

  • Request process flow

  • About access rules

  • About publishing rules

  • Processing names and addresses

  • Handling rules that require authentication

For information about how Forefront TMG enforces policies, see About policy enforcement.

Request process flow

Forefront TMG processes requests as follows:

  1. Checks the request against the network rules to verify that the required network relationship exists between the request’s source and destination.

    Note

    Traffic that is handled by the Web proxy filter is not checked against the network rules.

  2. Checks the request against the system policy to determine whether one of system rules allows or denies the request.

  3. Checks the request against the firewall policy in the order in which the rules appear in the list.

  4. After matching the request with a rule, Forefront TMG checks the network rules again (except for traffic handled by the Web proxy filter) to determine whether to route or apply NAT to the traffic.

About access rules

Usually, requests from internal clients are handled by access rules. Access rules can only be configured with outbound protocol definitions. When a request is received, Forefront TMG matches an access rule with the request, by checking the rule elements in this order:

  • Protocol—Rule defines one or more protocols with an outbound direction.

  • From—Source address is defined in the rule. The source can be an entire network, a set of networks, a computer or set of computers, an IP address range, or a subnet.

  • Schedule—Rule schedule controls when the rule is applied.

  • To—Destination is defined in the rule. The destination can be an entire network, a set of networks, a computer or set of computers, an IP address range, a subnet, a domain name set, or a URL set. In some cases, a DNS lookup may be required to check that the request matches. For more information, see Processing domain name sets and URL sets (https://go.microsoft.com/fwlink/?LinkId=159771).

  • Users—Rule applies to all users (for anonymous access), to all authenticated users (applied to any user who can authenticate successfully), or to a specific user group.

  • Content groups—Rule applies to specific content types.

If the request matches an allow rule, the request is allowed. After finding a matching rule, Forefront TMG does not evaluate further rules. Access rules that deny traffic are processed before publishing rules. If a request matches an access rule, the request is denied, even if a publishing rule allows the request.

About publishing rules

Forefront TMG uses the following publishing rule sets to enable access from the external network to published servers on the internal network:

  • Web publishing rules—Enable access to published Web servers. For HTTP or HTTPS requests to a Web listener, Forefront TMG checks publishing rules and then Web chaining rules to determine whether the request is allowed and how it should be handled.

  • Server publishing rules—Enable access to published non-Web servers. For non-HTTP requests, Forefront TMG checks network rules, and then checks publishing rules to determine if requests are allowed.

Processing names and addresses

HTTP requests may contain a name, a fully qualified domain name (FQDN), or an IP address. Forefront TMG handles the name or address as follows:

  • If an HTTP request uses a site name, such as https://www.fabrikam.com, Forefront TMG performs a forward name resolution to a DNS server to obtain the associated FQDN, aliases, and the IP addresses. Then Forefront TMG attempts to match these elements to a rule.

  • If an HTTP request uses an IP address, Forefront TMG first checks whether a rule matches that address. During this process, if Forefront TMG encounters a rule that requires a name, it performs reverse name resolution to obtain the FQDN for that IP address. Forefront TMG can then compare the FQDN to the access rule definitions.

  • If the reverse name resolution fails, only the original IP address in the request is used in comparison to the rule definitions.

Note

When a SecureNAT client requests a site by name, Forefront TMG first verifies that the host header content is not masking an unrelated IP address requested by the client. If this verification succeeds, the process continues as it would for a Web Proxy client.

Handling rules that require authentication

When a rule specifies that authentication is required, Forefront TMG requests the client to present credentials. If the client cannot provide credentials, the request is dropped before the rule is evaluated. SecureNAT clients cannot provide credentials, and if a request from a SecureNAT client matches a rule that requires authentication, the request is dropped.

Network relationships

Network rules specify how traffic is sent between source and destination networks. One of the following relationships can be used in each network rule:

  • Route relationship

  • NAT relationship

Route relationship

Route relationships are bidirectional. For example, if a network rule defines a route relationship from network A to network B, then a relationship also exists from network B to network A. Client requests from the source or destination network are forwarded directly to the other network, with the source and destination IP addresses unchanged. Use a route relationship where IP addresses do not need to be hidden between networks. This is a common configuration between two networks with public IP addresses or between two networks with private addresses. In either case, hosts in each network must define the Forefront TMG IP address in their local network as the route to the other network. In many cases, defining the Forefront TMG IP address as the default gateway is sufficient. When you create access rules or server publishing rules, a route relationship affects traffic as follows:

  • When using access rules, Forefront TMG forwards the traffic with the source and destination IP addresses intact.

  • When using server publishing rules, Forefront TMG forwards the traffic as it does for access rules, but it uses application filters directly. For example, the Single Mail Transfer Protocol (SMTP) filter is not used for SMTP traffic handled by an access rule, but it is used with traffic handled by a server publishing rule.

NAT relationship

Network Address Translation (NAT) relationships between networks are unidirectional. The traffic is handled according to the source or destination of the traffic. Forefront TMG performs NAT as follows:

  • In access rules, Forefront TMG replaces the client IP address on the source network with the Forefront TMG default IP address for the destination network. For example, if you create a NAT relationship in a network rule between the internal network and the external network, the source IP address of a request from the internal network is replaced with the default IP address of the Forefront TMG network adapter connected to the external network. Access rules that handle traffic between networks defined with a NAT relationship can only use the source network specified on the From tab, and the destination network specified on the To tab of the rule.

  • In server publishing rules, the client in the destination network makes a connection to the Forefront TMG IP address on which the publishing rule is listening for requests. When Forefront TMG forwards the traffic to the published server, it replaces the Forefront TMG IP address with the IP address of the internal server that it is publishing, but it does not modify the source IP address. Note that in a NAT relationship, server publishing rules can only access the network specified as the destination network. In addition, because server publishing across networks with NAT leaves the source IP address intact when forwarding traffic to the published server, the published server must use the Forefront TMG computer as the last hop in the routing structure to the destination network. If this is not possible, configure server publishing rules to use the setting Requests appear to come from the Forefront TMG computer. This causes Forefront TMG to perform full NAT on the traffic handled by the rule.

Concepts

About policy enforcement
About system policy
Access design guide for Forefront TMG